Bug 625115
Summary: | cannot run virt-manager as regular user in a VNC session | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jeff Bastian <jbastian> | ||||
Component: | libvirt | Assignee: | Cole Robinson <crobinso> | ||||
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 6.0 | CC: | berrange, dallan, dyuan, eblake, ikke, lfarkas, myllynen, mzhan, rdassen, rwu, sputhenp, weizhan, whuang, xen-maint, yoyzhang, zpeng | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | libvirt-0.9.10-1.el6 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2012-06-20 06:24:39 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Jeff Bastian
2010-08-18 16:01:51 UTC
polkit is running in my VNC session and trying to start a new agent complains that it's already running: $ ps auxwww | grep polkit gdm 8130 0.0 0.2 242560 7680 ? S Aug02 0:00 /usr/libexec/polkit-gnome-authentication-agent-1 root 8139 0.0 0.1 49856 4252 ? S Aug02 0:00 /usr/libexec/polkit-1/polkitd jbastian 13789 0.0 0.1 224204 5288 pts/0 S 10:34 0:00 /usr/libexec/polkit-gnome-authentication-agent-1 jbastian 16708 0.0 0.0 103152 832 pts/3 S+ 11:04 0:00 grep polkit $ /usr/libexec/polkit-gnome-authentication-agent-1 (polkit-gnome-authentication-agent-1:16752): GLib-GObject-WARNING **: cannot register existing type `_PolkitError' (polkit-gnome-authentication-agent-1:16752): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed ** (polkit-gnome-authentication-agent-1:16752): WARNING **: Unable to register authentication agent: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for session Cannot register authentication agent: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for session > virt-manager should ask for a password if it fails to authenticate instead of
> giving a misleading error message.
This isn't possible with the architecture of policykit. virt-manager connects to the libvirtd daemon over a UNIX socket and libvirtd then askes policy kit to authenticate the connection. So virt-manager itself is never involved in authenticating, it is all out-of-band via PolicyKit. This sounds like its a problem with PolicyKit within VNC server sessions, possibly because VNC won't start/register any ConsoleKit session.
I'm a newbie with polkit so I don't know if I'm opening up security holes, but with a bit of experimentation I was able to create a pkla file that lets me start virt-manager in my VNC session without a password: $ sudo cat /etc/polkit-1/localauthority/50-local.d/jbastian-libvirt.pkla [jbastian libvirt Permissions] Identity=unix-user:jbastian Action=org.libvirt.* ResultAny=yes ResultInactive=yes ResultActive=yes Yeah, this is probably a more generic problem with PolicyKit and VNC rather than virt-manager. I also noticed nm-applet was not running in my VNC session, so I tried starting it and got $ nm-applet ** (nm-applet:21517): WARNING **: <WARN> request_name(): Could not acquire the NetworkManagerUserSettings service. Error: (9) Connection ":1.495" is not allowed to own the service "org.freedesktop.NetworkManagerUserSettings" due to security policies in the configuration file This is interesting: PackageKit also had this problem in VNC sessions and was just updated to allow it, see bug 528511. I looked at the recent patch for PackageKit (see bug 528511) and tried making a similar change for libvirt. I removed my custom /etc/polkit-1/localauthority/50-local.d/jbastian-libvirt.pkla file, then I made the following changes: --- /usr/share/polkit-1/actions/org.libvirt.unix.policy.ORIG 2010-08-11 04:15:04.000000000 -0500 +++ /usr/share/polkit-1/actions/org.libvirt.unix.policy 2010-08-18 15:55:23.529641403 -0500 @@ -34,8 +34,8 @@ <defaults> <!-- Only a program in the active host session can use libvirt in read-write mode for management, and we require user password --> - <allow_any>no</allow_any> - <allow_inactive>no</allow_inactive> + <allow_any>auth_admin</allow_any> + <allow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </defaults> </action> I restarted polkitd and my VNC session and when I tried to start virt-manager, it asked for the root password! I entered the password and virt-manager started working. Can we make the above change to the libvirt policy? Changing componenet from virt-manager to libvirt. No, that change gives any local user full privileges to libvirtd. Since this is running as root and has the ability to change arbitrary host storage, networking, etc, you have effectively given all local users unauthenticated root access. Opps, no, i misread that. auth_admin is probably safe, provided you're using a secure remote channel (ie VNC + TLS/SSH). Yes, I always tunnel through ssh. Not only is it secure, I find it's easier than poking holes in the firewall to allow VNC traffic through. (And 'vncviewer -via ...' makes the tunneling easier than 'ssh -L ...') system-config-keyboard is not an example of good design/practice. It is using the legacy consolehelper code which forces the entire application to run as root, which is deprecated because it is not a secure design pattern. The current recommended architecture is to run a daemon privileged, and the desktop application unprivileged & use policykit for authentication between the two. This is what virt-manager correctly does. Assuming for a minute that the change proposed in comment 6 is correct, is that a libvirt change or a PolicyKit change? I.e., should we change the component? I think libvirt is the right component. $ rpm -qf /usr/share/polkit-1/actions/org.libvirt.unix.policy libvirt-0.8.1-27.el6.x86_64 Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as an exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. the problem was something similar to this for us. one of our user delete the /usr/libexec/polkit-gnome-authentication-agent-1 from the strartup application (or copy from his home form an older rhel/fedora etc). and it was _very_ hard to find the reason. it'd be useful to popup an error message that the policykit agent is not running while it should have to be. and in this case even through vnc it is working _without_ the changes in #6. Cole, what can we do here? Is this really a libvirt problem or is it virt-manager? Dave, this isn't specific to virt-manager since it's we rely entirely on libvirt and policykit. Though I'm pretty sure this is expected behavior from policykit, it isn't intended to allow entering a root password over something like VNC or SSH -X AIUI. Though it would be helpful if policykit, libvirt, or virt-manager could give a useful error about this limitation rather than the annoyingly opaque 'authentication failed'. But I'm not sure how to do that (In reply to comment #22) > Dave, this isn't specific to virt-manager since it's we rely entirely on > libvirt and policykit. Though I'm pretty sure this is expected behavior from > policykit, it isn't intended to allow entering a root password over something > like VNC or SSH -X AIUI. I just read over the transcript for bug 528511, and I agree with comment 6 and Dan's comment 9 that "auth_admin" is an acceptable fix, and it seems to have passed muster in bug 528511. I've granted devel ack. Created attachment 560024 [details] Allow polkit auth for SSH and VNC users Also upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=756e6ab467a27e8228bfa2704d1c4883355ac666 Verify this bug with : libvirt-0.9.10-1.el6.x86_64 Steps to Reproduce: 1. as a regular user on a RHEL 6 system: vncserver -geometry 1024x768 -depth 24 2. from another system: vncviewer $rhel6-hostname:1 3. in the VNC session virt-manager --debug 4. virt-manger can start up , vurt-manager ask passwd for root ,after input passwd , it can works well Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0748.html |